tomcat-users mailing list archives

From Mark Lim <mark_...@symantec.com>
Subject migrating Tomcat 5.5 SSL Connector to 7.0
Date Sat, 07 Jan 2012 00:05:09 GMT
We are in the process of upgrading Tomcat 5.5 to Tomcat 7.0.  These Tomcat deployments use
a custom FIPS 140-2 certified JSSE implementation for their SSL Connectors.

In Tomcat 5.5, the Connectors are configured like this:

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" minProcessors="5" maxProcessors="75"
             enableLookups="true" disableUploadTimeout="true" redirectPort="41443"
             acceptCount="100" debug="0" scheme="https" secure="true" connectionTimeout="60000"
             useURIValidationHack="false" clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             SSLImplementation="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
  />

which works fine (a listener appears on 41443 and one can do HTTPS to it).

In Tomcat 7.0.23 we are trying to use

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" enableLookups="true" disableUploadTimeout="true" redirectPort="41443"
             acceptCount="100" scheme="https" secure="true" connectionTimeout="60000" clientAuth="false"
             sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             sslImplementationName="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
             SSLEnabled="true"/>

but this does not work (no listener appears on 41443) and catalina.out has this:

Jan 6, 2012 8:09:14 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-41443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-41443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.io.IOException: SSLv2Hello,TLSv1 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
        ... 13 more
Caused by: java.security.NoSuchAlgorithmException: SSLv2Hello,TLSv1 SSLContext not available
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at javax.net.ssl.SSLContext.getInstance(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:488)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
        ... 19 more

It seems that Tomcat is trying the default JSSE implementation despite the sslImplementationName
attribute being set. Are there internal precedence controls, or does the classloader hierarchy
matter, or what?

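The innermost cause in the trace above is SSLContext.getInstance being handed the connector's sslProtocol value "SSLv2Hello,TLSv1" as if it were a single JSSE algorithm name. The following stand-alone Java demo (added here; not the poster's code and not Tomcat's) reproduces that failure against the JDK's default JSSE provider and shows where a comma-separated protocol list is accepted instead: on the server socket's enabled-protocol set. It assumes a JDK whose default provider still lists those protocol names as supported.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class SslProtocolAttributeDemo {
    // The exact value used in the connector's sslProtocol attribute in the post.
    static final String CONNECTOR_SSL_PROTOCOL = "SSLv2Hello,TLSv1";

    // Mirrors what the trace shows JSSESocketFactory.createSSLContext doing:
    // the attribute value goes verbatim to SSLContext.getInstance, which expects
    // ONE algorithm name (e.g. "TLS" or "TLSv1"), not a list.
    static SSLContext contextFor(String protocolName) throws NoSuchAlgorithmException {
        return SSLContext.getInstance(protocolName);
    }

    public static void main(String[] args) throws Exception {
        try {
            contextFor(CONNECTOR_SSL_PROTOCOL);
            System.out.println("unexpected: provider accepted the list as an algorithm name");
        } catch (NoSuchAlgorithmException e) {
            // Same text as catalina.out: "SSLv2Hello,TLSv1 SSLContext not available"
            System.out.println("rejected by SSLContext.getInstance: " + e.getMessage());
        }

        // A single algorithm name initialises; the per-version list belongs on the socket.
        SSLContext ctx = contextFor("TLS");
        ctx.init(null, null, null); // JDK default key/trust managers; no handshake is attempted here
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("supported: " + Arrays.toString(server.getSupportedProtocols()));
            try {
                // This is the layer that understands a list of protocol versions.
                server.setEnabledProtocols(CONNECTOR_SSL_PROTOCOL.split(","));
                System.out.println("enabled:   " + Arrays.toString(server.getEnabledProtocols()));
            } catch (IllegalArgumentException e) {
                // A JDK that has dropped one of the names rejects it here, not at getInstance.
                System.out.println("not supported by this JDK: " + e.getMessage());
            }
        }
    }
}
```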
